New proof-of-concept malware demonstrates virus for OS X

Clapzok.A is a new malware approach that, with current (albeit limited) loopholes in OS X, can spread among binary files when executed, making it one of the first-known, true computer viruses for OS X.

The malware is called "Clampzok.A" and is a cross-platform malware package that alters the binary files on an affected system so when executed, the binary will infect neighboring binary files.

The malware is written in assembly code, and was originally released in 2006 for Windows and Linux systems, but was recently updated to affect 32-bit Mach-O binary files in OS X machines.

Unlike Trojan horses, spyware, and adware that hide in one location on the system and persistently run to steal information or otherwise be a nuisance, viral malware attempts to spread itself around the system. Of these, a form known as a worm will try to replicate itself, but does not infect otherwise healthy files. The classic virus, by contrast, will inject itself into the compiled code of an executable or into the structure of a file, modifying it significantly so that when the file is read, the virus is executed and further injects itself around the system, wreaking havoc on the system's ability to function.

This latest malware shows promise to do just that.

When infected, the virus will modify the __PAGEZERO segment of a healthy binary so it holds the virus code. With other modifications to this segment the virus enables both read and execution ability on this code. Next, the virus alters the command "LC_UNIXTHREAD" in the binary so it points to the location of the virus instead of the desired execution point of the binary file.

When the binary is then executed, the virus code will run and search for additional 32-bit binary files in the same environment as the infected one, and attempt the injection on them. The malware tries to target the BSD tools and other programs stored in the /bin and /usr/bin directories on OS X systems.

In this manner, if one executes simple terminal commands on an affected system, then other terminal tools could get infected.

This development marks one of the first such viral attacks that can affect the OS X platform; however, it does have its limitations, both in current function and in its ability to hide. For one, the attack only works on 32-bit Mach-O binary files. While there are still plenty of 32-bit programs for OS X, recent versions are migrating to 64-bit code.

In addition, if a system is infected with malware that uses this mode of attack, then it will be easily detectable since a scanner simply needs to check for the read and execute ability on the __PAGEZERO segment of the binary. If this exists, then the binary has been compromised and can be easily quarantined or otherwise flagged. Furthermore, this attack will break code-signed programs, so any that have a valid signature (i.e.those from the Mac App Store) will no longer work if infected.

Overall, while this development does outline a true viral attack on OS X, it is just a proof of concept effort, meaning it is not used in any known malware on OS X. Additionally, it is so far quite limited in scope, and easy to detect. Does this mean you need to lock down your system? Not at all. However, it may be wise to simply be mindful that malware efforts are ongoing for the Mac platform, and among the various Trojan horse attempts, even viral breakthroughs are occurring.